VirusTotal Integration

[Md Mojadded Alam]

How to integrate virus total on a newly installed wazuh.

[Emmanuel Sadiq]

Hello Md,
Thank you for using Wazuh. 

To integrate virustotal on wazuh kindly follow this guide. 
I hope this information is helpful. 

Best regards. 

[Jackpot_Cybersenses]

Frist create an account with VT and copy your API key.

Then enable VT integration in the Wazuh Manager.

Now write the line of code via manager or cli:

===============

  <integration>
    <name>virustotal</name>
    <api_key>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>554</rule_id>
    <alert_format>json</alert_format>
  </integration>

================

To test the integrations, add to the agent.conf on the Wazuh manger or the agent itself with this line of code:

==================================

<agent_config>
<!-- Shared agent configuration here -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<os>yes</os>
<packages>yes</packages>
<hotfixes>yes</hotfixes>
</wodle>
<syscheck>
<directories check_all="yes" realtime="yes">C:\Users\*\Downloads</directories> <!--ADD THIS-->
</syscheck>
</agent_config>

==============================

After that is restart the wazuh manager just for the sake of mind.

==============================

systemctl restart wazuh-manager
==============================

Then go to eicar.org/download-anti-malware-testfile/ and download it to an agent, keep in mind that the folder should be C:\Users\*\Downloads of any user on the machine.

To validate go back to VT login and on the menu select API KEY:

Or check the Wazuh Manager for events:

Let me know if you get a problem.

Kind regards.

[Jackpot_Cybersenses]

For more detailed read:  VirusTotal integration - Malware detection · Wazuh documentation   

[Md Mojadded Alam]

Thanks a lot 
Jackpot_Cybersenses